Task Statements and Knowledge Statements



Time: 13 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Description

This lesson covers Domain 3 which is about IS acquisition, development and implementation and centers on providing assurance that the practices for the acquisition, development and testing of information systems meet the organization's strategies and objectives. This unit also discusses task and knowledge statements.

Video Transcription
Welcome to domain number 3. In this domain, we'll be talking about the acquisition, implementation, and development of information systems. The auditor is trying to provide assurance or confidence that the processes involved in getting systems into the environment are being followed correctly.

We'll look at our task statements for domain 3. We start off with evaluating the business case. This is a way of proving that there is a need for some system or some software and trying to make a connection between that need and what the leadership of the organization is willing to spend to achieve those goals. Then we have to think about evaluating project management practices. Are these projects being managed cost effectively? Are they staying on target? These are the kind of questions that might come up. Then the auditor has to conduct reviews to make sure that projects are moving along as expected, reaching milestones, staying within budget, and so on. Number 4 is evaluating controls for the systems. There's a lot that goes into this, of course. But it's basically trying to make sure that the system is implemented, or rather developed and tested properly before it's implemented. We need to think about number 5, making sure that systems, after they've been properly developed and implemented, are ready to be moved into production, and trying to have an eye for all the details that are involved in making that happen. Number 6, conducting post-implementation reviews to make sure that the deliverables were done on time and were done according to the plan.

Moving on to our knowledge statements for domain number 3. Having a knowledge of different business practices and realizing different benefits. Concepts like total cost of ownership and return on investment. These are important concepts because the leaders of the organization that are deciding money needs to be spent to achieve some goals want to be able to measure the performance of their funds as they have been outlaid for various different initiatives. Knowing about project governance mechanisms: we'll talk about steering committees, project management offices, and the oversight board. These are important groups within the organization to try to manage complex environments with lots of different projects happening simultaneously. We'll look at project management control frameworks. Some different ways that you can think about managing projects, or maybe using certain software tools to assist in these tasks. Number 4 is looking at risk management practices. Risk management is a broad topic, as I mentioned in earlier sections. But we also need to think about how it applies to managing projects. Then number 5, knowledge of IT architecture. Understanding how the organization's architecture is designed, what the security functions are supposed to do, and so on.

We have a few more to go here. Acquisition practices as it relates to dealing with vendors, contracts. There's lots of different details that will need to be covered relating to the acquisition of resources or tools. Number 7, requirements analysis. Are the requirements for a project detailed? Are they complete? Have they been verified? How do we deal with managing vulnerabilities? And so on. There's a lot of different details that go into this. What constitutes a successful project? What are the criteria that are used to judge whether something is successful or otherwise? Number 9, control objectives. These are concepts that are trying to understand how your applications actually work, what kinds of transactions happen in the environment, and different ways to measure that and verify that transactions are being done correctly and completely. We move on to number 10, system development methodologies. Of course, some of the tools that go along with that. We have things like agile development, prototyping, rapid prototyping, object-oriented design. We move on to number 11, testing methodologies. What's involved with testing a system during development and while it's actually in production? That's a topic that continues throughout the life cycle of a system. The testing begins as early as possible in the process and should continue until that system gets decommissioned. Configuration management, a big topic as well. We want to make sure that we can understand the change control process and how changes to a system or its environment of operation might affect other areas of the organization. It's an area that needs to be focused on at some level. Then we have knowledge of system migration and infrastructure. How do you move data around when systems are being decommissioned, for instance, and you're replacing an older system with something new? How do we move the data? What's involved in some of those considerations? Then the last knowledge statement is a post-implementation review. This is a lessons-learned idea where, once a system is in place or an application is in place, doing some review after the fact to see how well everything went or didn't go, and trying to identify those areas where there could be some type of improvement.